Overview
Explore the intricacies of Windows Desktop Window Manager (DWM) vulnerabilities in this 46-minute conference talk from Hack In The Box Security Conference. Delve into the architecture of DWM and its interaction with low-privileged users, uncovering a significant attack surface within the Windows graphics component. Examine 10 discovered bugs in the DWM process, all acknowledged by Microsoft, and gain insights into the reverse engineering process that revealed special features like restart recovery and exception handling. Learn about six specific vulnerability cases, including out-of-bounds access, untrusted pointer reference, type confusion, and use-after-free issues. Understand the implementation details of DirectComposition in user and kernel modes, and discover the security challenges in shared memory communication. Compare manual code auditing and fuzzing techniques for vulnerability detection, and grasp the importance of auditing user-mode code in addition to kernel-side vulnerabilities.
Syllabus
#HITB2023AMS D1T1 - Hunting Windows Desktop Window Manager Bugs - Z. WangJunjie, Y. He & W. Li
Taught by
Hack In The Box Security Conference